NCSC engagement director Alex Dewdney is leading government's new approach in working with UK industry to build a national cyber security community and capability

UK business should take cyber security seriously, not only because of its risks but also because of the opportunities, according to the National Cyber Security Centre (NCSC).

“UK businesses need to see and grab the opportunities to make progress like never before,” said Alex Dewdney, director for engagement and advice at the NCSC.

As demonstrated by the CyberUK conference in Liverpool, the time is ripe for moving beyond discussions to make meaningful progress in finding new ways to address cyber threats, he told Computer Weekly.

The NCSC believes collaboration is the key, and is itself an embodiment of the government’s strategy to harness British capability across all sectors to establish the UK as a world leader in cyber security.

“We are starting to think about the extent to which government needs to be more interventionist and active,” he said at the time, regarding how it takes on cyber security challenges in collaboration with industry.

Dewdney, formerly director of cyber security at the UK’s national technical authority for information assurance CESG, is now heading what he describes as the “service offering” of the NCSC.

“I run a number of teams whose job it is to get out and about and work alongside organisations [in all sectors] to find ways of improving cyber security for the UK,” he said.

Working with SMEs

Dewdney said the new “economy and society” team that sits alongside the more established teams will move into the new area of working with SMEs, wider business and the general public.

“We have already put something like 200 items of guidance on our website that is relevant to that sector, and we are starting to build an online portal for SMEs to find relevant help and guidance,” he said.

Because organisations are at different points in the journey towards understanding the importance of cyber security, Dewdney said his teams’ engagements with business will be based on both push and pull.

“Some organisations are saying this is what we have been waiting for. They want to have an easy way of accessing help and guidance from a public authority, while with others we will probably have to ‘push’ more to raise awareness of these issues, so it really depends on the maturity of the sector,” he said.

Engaging with government around cyber security

For organisations that want to engage with government around cyber security, Dewdney said there are more ways of doing so than ever before – all of which are set out on the NCSC website.

“There is also an inquiries line, and we are increasingly putting pointers in our online resources, but clearly there is going to be a limit to the extent to which the NCSC can deal with individual SMEs and users of technology, so a lot of what we do will have to be on a one-to-many basis,” he said.

This includes the NCSC’s work to produce a cyber assessment framework and maturity model for the financial sector that can also be applied more broadly.

“Many organisations would welcome a clear definition of what good looks like in cyber security, and an assessment framework is a repeatable way for each to assess if they are doing enough,” said Dewdney.

Making a plan of action

One-to-one engagements are more likely to be with organisations in the critical national infrastructure (CNI) sectors or with organisations impacted by threats of national significance.

In CNI cases, the NCSC will work with the lead department such as the Department for Culture, Media and Sport (DCMS) for the telecoms sector to agree a plan of action.

“We will get alongside the organisation to understand where the key risks are, what can we do to help mitigate those – which may be advising where to find help in the private sector.

“It is about making sure the risks are understood and that there is a reasonable programme of work put in place to mitigate those risks,” said Dewdney.

However, he emphasised that cyber security is not something that is only for medium to large organisations. “We see instances of very small companies being hit by cyber attacks,” he said.

Dewdney said he expects that providing basic security messages will always be part of the NCSC’s work, especially with smaller companies.

“At the very basic level, there are three key pieces of advice: always back things up, be cautious in terms of emails and websites, and keep systems and software up to date with security patches,” he said.

Building a cyber security ecosystem

At the broadest level, however, the NCSC is working with industry and academia to exchange ideas and capabilities to build what it terms a UK cyber security ecosystem and community.

“Another big part of doing things differently is the NCSC’s efforts aimed at encouraging innovation,” said Dewdney.

“The government is not going to come up with all of the best ideas by itself. The magic happens when get the right people together,” he said.

As part of this effort, the government is developing two innovation centres. One in Cheltenham, which is already helping SMEs develop products, and another planned for London in 2017 to work in partnership with industry to help and grow cyber security SMEs.

“Although the NCSC and the new innovation centre are in London, we are doing far more work regionally than used to be the case,” said Dewdney.

“Part of that is talking to the devolved authorities in Scotland, Wales and Northern Ireland, local authorities, and business groups that are often convened by a local enterprise partnership, which gives us a way of reaching local business communities in a way that we weren’t really doing before. We are a national cyber security centre, so it important that we continue to make that outreach,” he said.

Content Continues Below

Download this free guide

Getting Cloud Security Right

Let's face it, cloud security can be done very wrong. Let's learn to do it right.
Regular Computer Weekly contributor Peter Ray Allison explores this issue, weighing up the questions organisations should be asking of their cloud service providers, and whose responsibility cloud security should be.

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

Start the conversation

0 comments

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.